Information security systems and methods

ABSTRACT

Systems and methods for governing derived electronic resources are provided. In one embodiment, a digital resource is associated with one or more rules and a set of one or more computations, wherein the rules correspond to one or more conditions for accessing the digital resource and the computations operate upon the digital resource in order to provide a specific view of the digital resource that differs from the digital resource.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/432,545, filed Feb. 14, 2017, now pending, which is a continuation of U.S. patent application Ser. No. 13/444,624, filed Apr. 11, 2012, now U.S. Pat. No. 9,589,110, which claims the benefit of priority of Provisional Application No. 61/474,212, filed Apr. 11, 2011, all of which are hereby incorporated by reference in their entireties.

Systems and methods are presented for facilitating the secure,persistent governance of information content. It will be appreciatedthat these systems and methods are novel, as are many of the components,systems, and methods employed therein.

BRIEF DESCRIPTION OF THE DRAWINGS

The inventive body of work will be readily understood by referring to the following detailed description, in conjunction with the accompanying drawings, in which:

FIG. 1A shows an illustrative system for distributing derived resources.

FIG. 1B shows an illustrative system for providing access to derived resources.

FIG. 2 shows an example of a computation being run against a resource in accordance with one embodiment.

FIG. 3 shows an illustrative system for governing electronic resources.

FIG. 4 shows a more detailed example of a system that could be used to practice embodiments of the inventive body of work.

DETAILED DESCRIPTION

A detailed description of the inventive body of work is provided below. While several embodiments are described, it should be understood that the inventive body of work is not limited to any one embodiment, but instead encompasses numerous alternatives, modifications, and equivalents. In addition, while numerous specific details are set forth in the following description in order to provide a thorough understanding of the inventive body of work, some embodiments can be practiced without some or all of these details. Moreover, for the purpose of clarity, certain technical material that is known in the related art has not been described in detail in order to avoid unnecessarily obscuring the inventive body of work.

Digital rights management (“DRM”) systems typically use cryptography to persistently associate a resource with a set of rules for governing access to that resource. In many cases, the resource to be protected is a piece of digital content, such as an electronic book, an audiovisual stream, or a video game. In order to access the resource, the user may need to indicate the action to be performed, which then triggers an evaluation of rules governing the resource for that particular action. If the action is allowed under the rules, the DRM system provides access to the resource, as it was originally packaged. This type of resource can be thought of as “static”, since it is presented to a user in the form in which it was originally packaged (although decoding, decompression, or other computations that are effectively implicit in the use of the resource may first need to be applied).

Some DRM systems are able to select a portion of a resource for access. For example, a DRM-enabled video player may provide access to a single video track even though multiple tracks are encoded in one file. The rules evaluation engine typically allows the user to specify which subset of the resource is to be accessed. There has also been some effort to provide different views of a packaged resource depending on business model. For example, it is possible to integrate a DRM system with the MPEG-4 SVC encoding scheme to allow lower- or higher-resolution access to a video depending on the price paid for access to the video. In both of these cases, however, the resource and all of its possible variants are pre-computed and digitally signed so that they cannot be modified.

Static resources (or portions thereof) are presented to the user exactly as they were encoded by a packager. In contrast, a derived resource is a resource that is computed from an original resource by a computation (typically, but not necessarily, performed at the point of consumption) before presentation to the user.

In a preferred embodiment, the computations that produce derived resources are expressed as computer-readable instructions for operating on an original resource to produce a particular view of the original resource. Although, in some embodiments, the computations may involve the use of mathematical calculations, the term “computation,” as used herein, is not so limited, and encompasses any set of instructions, procedures, methods, or other mechanisms for producing a particular presentation of the original resource (e.g., one that does not disclose all of the information in the original resource). For example, if the original resource were a list of “name-birthdate-height” triplets, an example of a computation would be any suitable way of instructing a rendering application to display only a list of “birthdate-height” pairs (i.e., to omit the “name” data from the display). Another example of a computation would be a set of instructions that would operate on the original data set to generate the median height and the average height for display.
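The two computations just described (project away the name column; compute the median and mean height) can be written as declarative instructions that a small, closed interpreter evaluates, rather than as arbitrary code. The following is an added illustration, not code from the patent; the JSON vocabulary (`project`, `aggregate`), the evaluator and the sample triplets are all constructed for this example. Because the interpreter only understands an enumerated set of operations, the packager can read a proposed computation and know exactly what it can reveal.

```python
import json
import statistics
from typing import Any, Dict, List

# Constructed sample resource: "name-birthdate-height" triplets (fictional values).
ORIGINAL_RESOURCE: List[Dict[str, Any]] = [
    {"name": "Alice Example", "birthdate": "1979-03-12", "height": 165},
    {"name": "Bob Example",   "birthdate": "1984-07-01", "height": 180},
    {"name": "Carol Example", "birthdate": "1991-11-23", "height": 172},
    {"name": "Dan Example",   "birthdate": "1966-05-05", "height": 178},
]

# Computations expressed declaratively (assumed JSON vocabulary, not from the patent).
PROJECT_BIRTHDATE_HEIGHT = json.dumps({"op": "project", "fields": ["birthdate", "height"]})
HEIGHT_STATS = json.dumps({"op": "aggregate", "field": "height", "stats": ["median", "mean"]})

def run_computation(resource: List[Dict[str, Any]], computation_json: str) -> Any:
    """Interpret a declarative computation against the original resource.

    Only 'project' and 'aggregate' are understood; anything else is rejected,
    so a computation cannot smuggle in behaviour the packager did not vet.
    """
    comp = json.loads(computation_json)
    op = comp.get("op")
    if op == "project":
        fields = comp["fields"]
        for f in fields:
            # an unknown field is an error, not silently empty output
            if any(f not in row for row in resource):
                raise ValueError(f"field {f!r} not present in every record")
        return [{f: row[f] for f in fields} for row in resource]
    if op == "aggregate":
        values = [row[comp["field"]] for row in resource]
        fns = {"median": statistics.median, "mean": statistics.fmean, "count": len}
        unknown = set(comp["stats"]) - set(fns)
        if unknown:
            raise ValueError(f"unsupported statistics: {sorted(unknown)}")
        return {s: fns[s](values) for s in comp["stats"]}
    raise ValueError(f"unsupported operation: {op!r}")

if __name__ == "__main__":
    print(run_computation(ORIGINAL_RESOURCE, PROJECT_BIRTHDATE_HEIGHT))
    print(run_computation(ORIGINAL_RESOURCE, HEIGHT_STATS))
```

The projected view never contains the `name` field, and the aggregate view discloses only two numbers about the whole list; a computation asking for an operation outside the vocabulary is refused before it touches the data.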

Computations may be specified in a variety of ways, examples of which include, without limitation, some or all of the following:

- They may be associated at the time of packaging by the original packager (the entity that first encrypts the resource).
- They may be produced after packaging, and securely associated with the resource. These post facto computations can be created by the packager of the data or, in some embodiments, by a third party who would like a computation to run over a protected resource.

In some embodiments, a resource may be protected without any associated computations. In some embodiments, the DRM system could be designed to access derived resources (e.g., resources packaged and/or otherwise identified as such) only in accordance with their associated computations. In such embodiments, if there were no computations associated with a resource, access would effectively be prevented. In other embodiments, a resource could, by default, be accessible unless prohibited by associated rules. In such embodiments, if there were no computations associated with a resource, the resource would be accessible (in accordance with any associated rules) unless a rule associated with the resource required possession of one or more computations in order to authorize access to the resource.

Derived resources are particularly useful in cases in which access to the resource should depend upon factors such as, for example, the principal that will perform the action, environmental considerations at the point of rules evaluation (e.g., computational capabilities), state variables managed by the DRM system (e.g., the status of a payment), the amount of information that has already been revealed about the resource, and/or the like. In these cases, the objective is typically to provide access to a derivative of the original resource, possibly based on context at the point of evaluation.

Derived resources can have several properties that make them particularly useful in comparison to static resources. Such properties may include some or all of the following:

Late Binding

The precise view required of a raw resource need not be computed in advance; the packager can associate a computation that produces the derived resource. If a new type of computed resource becomes important, the packager of the data can simply provide a new set of rules and computations rather than re-computing, repackaging, and retransmitting the entire original resource (which may be a large data set).

For example, suppose that the original resource is a human genome sequence. The resource can be encrypted and packaged with several computations that reveal certain limited information about the genome—is the subject male or female? Does the subject have a certain mutation in the BRCA2 gene? etc. At a later date, the owner of the data determines that it is important to provide access to a new aspect of the sequence, such as the number of copies of the CCL3 gene, which is related to the risk of HIV. The packager creates a new computation, associates it with the original resource, and distributes it to interested parties. It is not necessary for the packager either to know about this computation in advance, or to provide unlimited access to the data.

Third Party Computations

Computations can be proposed by users of the packaged information and then securely associated with the resource by, e.g., the original packager and/or another entity with the right to do so.

Continuing with the human genome sequence example, suppose the sequence is encrypted and sent to a researcher who wishes to incorporate information about the sequence into his study. As part of the original package, the researcher receives a set of computations that provide various views of the data. The researcher has discovered a new algorithm that combines information from several genes in order to estimate the risk of a particular disease, but he cannot obtain all of the information he needs using the computations that have been provided by the owner of the data. The researcher creates a computation that, when run against the sequence, will produce his estimate. He sends this computation to the owner. Assuming that the owner agrees, the new computation is securely associated with the resource and sent back to the researcher in a form that allows him to run the computation against the sequence.

A similar example would be a computation created by a pharmaceutical company to estimate the appropriate dosing of a particular drug by analyzing the genome sequence. This type of dosing sensitivity analysis is often carried out for prescribing the anti-coagulant warfarin. Patients with particular variants in the CYP2C9 and VKORC1 genes may be more or less sensitive to this drug. With a derived resource, it is possible to run this sensitivity test on a genome sequence that has been previously stored and protected (e.g., at birth) without additional wet-lab work.

Composition of Computations

When determining that a third-party computation ought to be bound to a resource, the packager may wish to allow the computation to proceed, but add his own pre- or post-conditions to the flow of computation that produces the derived resource.

For example, suppose that the governed resource is the map of a given (large) region, along with address information. A third party proposes a computation that, given an address, returns the spatial coordinates associated with the address. The packager may be willing to accept this computation in general, but he does not wish to disclose the exact coordinates. Instead, he would prefer that the computation return only the city, or neighborhood, etc. The owner/packager then creates a second computation that consumes the output of the computation proposed by the third party and modifies it to obscure the more detailed information. When he binds the third-party computation to the resource, he requires that his own second computation be applied before the output can be returned to the requester.
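The composition in the map example, written out as an added illustration (not code from the patent): the third party's geocoder is never published on its own; the packager wraps it so that his coarsening post-computation always runs on the geocoder's output before anything leaves the evaluator. The address book, coordinates and the `city`/`neighborhood` granularity levels are constructed for this example.

```python
from typing import Callable, Dict

# Constructed sample resource: an address book with coordinates (fictional values).
MAP_RESOURCE: Dict[str, Dict[str, object]] = {
    "12 example street": {"lat": 47.372812, "lon": 8.541947,
                          "neighborhood": "Altstadt", "city": "Zurich"},
    "99 sample road":    {"lat": 48.137154, "lon": 11.576124,
                          "neighborhood": "Maxvorstadt", "city": "Munich"},
}

# A computation takes (resource, input) and returns an output dictionary.
Computation = Callable[[dict, dict], dict]

def third_party_geocode(resource: dict, request: dict) -> dict:
    """The computation proposed by the third party: exact coordinates for an address."""
    entry = resource[request["address"].lower()]
    return {"lat": entry["lat"], "lon": entry["lon"],
            "neighborhood": entry["neighborhood"], "city": entry["city"]}

def packager_coarsen(level: str) -> Computation:
    """Packager's post-computation: keep only the fields allowed at `level`."""
    allowed = {"city": ["city"], "neighborhood": ["city", "neighborhood"]}
    keep = allowed[level]            # KeyError for a level the packager never defined
    def post(resource: dict, upstream: dict) -> dict:
        # allow-list, so lat/lon (and any future field) are dropped by default
        return {k: upstream[k] for k in keep}
    return post

def bind_with_post(core: Computation, post: Computation) -> Computation:
    """Bind a third-party computation so the packager's post-computation is
    applied to its output before the result can be returned to the requester."""
    def bound(resource: dict, request: dict) -> dict:
        return post(resource, core(resource, request))
    return bound

# What the packager actually distributes: the composed pipeline, not the bare geocoder.
GEOCODE_CITY_ONLY = bind_with_post(third_party_geocode, packager_coarsen("city"))

def derive(request: dict) -> dict:
    return GEOCODE_CITY_ONLY(MAP_RESOURCE, request)

if __name__ == "__main__":
    print(derive({"address": "12 Example Street"}))   # city only, no coordinates
```

The post-computation is an allow-list rather than a deny-list on purpose: if the third party later revises the geocoder to emit an extra field, it is still stripped unless the packager explicitly admits it.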

In some embodiments, a computation could be associated with a resource that formulates and sends an audit record containing information about when, by whom, and in what circumstances the resource was derived.

FIG. 1A shows an example system 150 for governing a digital resource 152 in accordance with some embodiments. As shown in FIG. 1A, the digital resource 152 (e.g., scientific research data, healthcare records, genetic information, media content, and/or the like) is packaged together with a set of computation(s) 154 and rule(s) 156 by a first entity 151 (e.g., an owner or distributor of the digital resource 152, or an entity acting on behalf thereof). For example, the resource 152 may be encrypted, digitally signed, and/or otherwise protected, and securely associated with the computation(s) 154 and rule(s) 156. Resource 152 may be distributed together with computation(s) 154 and/or rule(s) 156 to a remote entity 158 via any suitable communications medium (e.g., a computer network such as the Internet, a mobile communications network, etc.). Alternatively, or in addition, resource 152 may be distributed to a remote entity 160 independently of computation(s) 154 and/or rule(s) 156. Another entity 162 may propose additional computations 166 pertaining to resource 152 to the first entity 151. The first entity may securely associate computations 166 with resource 152 (e.g., in the form proposed by entity 162, or in modified form, or with additional pre- or post-computations required to be performed with computations 166, or the like), and distribute (or make available for distribution) such computations 166′ for use in connection with resource 152.

Privacy-Preserving Computations

As in the examples described above, derived resources can be used to help preserve the privacy of the original data. In some embodiments, several factors may help to determine the types of computations that may be bound to a resource. For example, the known history of the computations that have been bound to the resource may be analyzed to ensure that only a desired amount of disclosure occurs. For example, the packager may have issued computations that, when used together, might otherwise reveal more information than intended. Therefore, for example, the packager may decide to progressively decrease the resolution of the data revealed by successive computations. For this purpose, the packager may also wish to take into account audit records that were required upon execution of various computations on the resource.

In some embodiments, computations can be randomized at least in part to protect the privacy/secrecy of the data. For example, a computation can be anonymized by adding random noise to the resource before output. Although an adversary may perform the computation multiple times and evaluate the statistics (e.g., the average value) of the derived resources returned, in some embodiments the packager can mitigate against this attack by, for example, limiting the number of such requests, changing the statistics as more and more requests are made, remembering a state variable (such as a random number seed) so that the same principal gets the same randomized data upon each application of the computation (thereby preventing the statistical attack), and/or the like.
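The averaging attack and two of the mitigations named above (a per-principal request budget, and a noise seed remembered per principal so repeated queries return the same randomized value), as an added illustration rather than code from the patent. The secret value, the noise scale and the way the seed is derived (SHA-256 over a packager-held key and the principal's identity) are assumptions made for this example.

```python
import hashlib
import random
import statistics
from typing import Dict, List

# Constructed sample: one sensitive numeric value in the resource (fictional).
SECRET_VALUE = 100.0
NOISE_SCALE = 10.0   # standard deviation of the Gaussian noise added before output

class NoisyView:
    """Computation that reveals SECRET_VALUE only after adding random noise.

    seeded=False : fresh noise on every call (the unmitigated case).
    seeded=True  : noise derived from a packager-held key and the principal's
                   identity, so the same principal always gets the same randomized
                   value and repeating the query yields nothing new to average.
    max_requests : per-principal request budget, the other mitigation named above.
    """

    def __init__(self, secret: float, packager_key: bytes,
                 seeded: bool, max_requests: int) -> None:
        self._secret = secret
        self._key = packager_key
        self._seeded = seeded
        self._max = max_requests
        self._counts: Dict[str, int] = {}   # state variable kept by the DRM system

    def compute(self, principal: str) -> float:
        n = self._counts.get(principal, 0) + 1
        if n > self._max:
            raise PermissionError(f"request budget exhausted for {principal!r}")
        self._counts[principal] = n
        if self._seeded:
            digest = hashlib.sha256(self._key + b"|" + principal.encode()).digest()
            rng = random.Random(int.from_bytes(digest, "big"))
        else:
            rng = random.Random()
        return self._secret + rng.gauss(0.0, NOISE_SCALE)

def repeated_outputs(view: NoisyView, principal: str, tries: int) -> List[float]:
    return [view.compute(principal) for _ in range(tries)]

def averaging_attack(view: NoisyView, principal: str, tries: int) -> float:
    """Adversary repeats the computation and averages the returned values."""
    return statistics.fmean(repeated_outputs(view, principal, tries))

if __name__ == "__main__":
    unmitigated = NoisyView(SECRET_VALUE, b"key", seeded=False, max_requests=10_000)
    print("averaged estimate, unmitigated:", averaging_attack(unmitigated, "eve", 5000))
    mitigated = NoisyView(SECRET_VALUE, b"key", seeded=True, max_requests=3)
    print("seeded outputs, mitigated:", repeated_outputs(mitigated, "eve", 3))
```

With fresh noise the adversary's average converges on the secret at rate 1/sqrt(n); with a remembered seed every repeat returns the identical value, and the budget bounds how many distinct views a principal can ever obtain. Note that seeding per principal does not stop colluding principals from averaging their different views; the budget and the packager's review of what has already been disclosed are what limit that.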

Different Views for Different Principals

In some embodiments, computations may depend on conditions such as the principal accessing the information. In such embodiments, different stakeholders in the packaged resource may obtain different views; different computations may be associated with different principals. This capability interacts with the ability to specify particular principals in the rules to gate overall access to the resource; that set of rules can dictate whether a given principal has the opportunity to access the resource at all, and so it determines whether a derived resource is ever computed. If it does run, however, the computation may decide to produce a different derivation depending on the principal making the request, or attributes of the principal (e.g., membership in a given class).

Using this technique, for example, one could construct a protected health record that can be accessed by all doctors in a hospital, but which includes additional detail when accessed by a patient's primary physician. The derived resources approach allows the governed resource to remain a single package as opposed to requiring multiple packages for different principals.

Different Views in Different Contexts

Just as, in some embodiments, the view of a resource may depend on the principal requesting access to the resource, so may the view depend upon other contextual information that exists at the point where the computation is performed.

For example, the set of rules governing a piece of content might allow access to any device that is registered to a given user, but the computations may output the resource at a given resolution for a particular type of device. Or, only a specific excerpt may be shown on a particular type of device, whereas the full resolution is available on other device types.
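An added example (not code from the patent) covering both of the preceding sections: a single packaged health record whose access rule admits any doctor, whose computation adds detail for the patient's primary physician, and whose output resolution depends on the device type gathered as context at the point of evaluation. The record contents, the `Principal` fields and the phone/workstation split are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet

# Constructed sample health record (fictional); one per-minute pulse sample each.
HEALTH_RECORD: Dict[str, Any] = {
    "patient_id": "P-0001",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril 10mg"],
    "notes": "Discussed lifestyle changes; follow-up in 3 months.",
    "pulse_series": [72, 75, 71, 80, 78, 74, 73, 77],
}

PRIMARY_PHYSICIAN = "dr-primary"   # assumed identifier of the patient's primary physician

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    device_type: str   # context information collected where the computation runs

def rule_allows(p: Principal) -> bool:
    """Access rule: any hospital doctor may open the record; nobody else may."""
    return "doctor" in p.roles

def derive_view(record: Dict[str, Any], p: Principal) -> Dict[str, Any]:
    """Computation: the view depends on who is asking and on what device."""
    if not rule_allows(p):
        # the rule gates overall access, so no derived resource is ever computed
        raise PermissionError("rule denies access to this principal")
    view: Dict[str, Any] = {
        "patient_id": record["patient_id"],
        "diagnoses": list(record["diagnoses"]),
    }
    if p.user_id == PRIMARY_PHYSICIAN:
        # additional detail only for the primary physician
        view["medications"] = list(record["medications"])
        view["notes"] = record["notes"]
    series = record["pulse_series"]
    if p.device_type == "phone":
        # context-dependent resolution: a small device gets one summary number
        view["pulse"] = {"average": sum(series) / len(series)}
    else:
        view["pulse"] = {"series": list(series)}
    return view

if __name__ == "__main__":
    print(derive_view(HEALTH_RECORD, Principal("dr-primary", frozenset({"doctor"}), "workstation")))
    print(derive_view(HEALTH_RECORD, Principal("dr-oncall", frozenset({"doctor"}), "phone")))
```

Because the same package serves every principal, revoking or extending what a class of users may see is a change to the computation, not a re-issue of the record.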

Preserving Data Fidelity

Although a number of examples have been given in which, e.g., to preserve privacy, the accuracy or fidelity of the data presented to a user is reduced, it will be appreciated that in some embodiments the computations that produce derived resources are not necessarily lossy; that is, they need not remove any of the original information in the process of producing the derived resources. Using derived resources, the original data need not be repeatedly filtered and repackaged, so no information is lost that may be of use in the future.

For example, suppose that the resource is a series of activity levels (as recorded by an accelerometer) for a given patient. In general, a physical therapist might only be interested in the average daily activity level, so the resource may come with a set of computations that produce these averages. One approach to providing those averages would be to take the original resource, perform the averages, and then protect the sequence of averages as a separate resource. However, this approach does not provide the ability to go back into the high-resolution data to determine, for example, the intensity of a given exercise session. If, instead, the averages are performed in accordance with a preferred embodiment of the derived resource approach, new computations can provide information that could not have been obtained from the filtered, repackaged activity data, since the original, raw data would still be available for use by such new computations.

Auditability

In some embodiments, the computations performed as a condition for rendering can be expressed for a standardized machine so that the original packager of the resource can validate and rely upon the results of specified computations, or they can be expressed declaratively using previously agreed semantics.

In some embodiments, when a packager associates a computation with a resource, the computation is first validated (especially if it was generated by a third party). In general, automatic validation of the functionality of a computation is difficult, and the more expressive the computational framework, the more difficult. Therefore packagers may rely upon various heuristic methods, such as inspecting the metadata that describe the computation, running the computation in a test environment before approving it, verifying that the proposed computation was signed by a trusted third party, authenticating the identity of the proposer, and/or the like. A uniform computational framework—e.g., a specific language in which the computations are expressed—helps packagers to validate proposed computations.

Computations Governing Multiple Sub-Resources

One type of resource that may be governed with the derived resources approach may be an entire database of sub-resources, with the database protected by one or more keys. In this formulation, running computations against the resource is similar to querying the database. The packager may restrict the kinds of queries that may be performed on the resource by constraining the computations.

For example, suppose that the governed resource is a set of full genetic sequences and health records of a particular population. Associated computations allow users to query the resource to determine, for example, how many of the females in the population express the BRCA1 gene, or how many females between the ages of 18 and 45 code for this gene. In this example, the combination of the data resource and the computations that operate on it allows users to explore the data. In this example, the types of computations that may be performed on the data set might be defined by the original packager; the packager may add further computations as necessary in the future. For example, if a certain correlation is postulated, the packager may provide a set of computations that allow other users to explore that correlation in the original data set. With static resources, the data would have been reduced before packaging, and information would be lost. With derived resources, the full data set can be preserved, with additional access given in the future as needed.
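How a packager can constrain the queries run against a database of sub-resources, as an added illustration that is not part of the patent: the only computations that exist are the two templates the packager bound (count of females expressing a gene; the same count restricted to an age range), their parameters are validated, and a request for any other query or any gene the packager has not exposed is refused. The population records and the allowed-gene list are constructed for the example.

```python
from typing import Any, Callable, Dict, List

# Constructed population records (fictional); the governed database of sub-resources.
POPULATION: List[Dict[str, Any]] = [
    {"id": 1, "sex": "F", "age": 34, "genes": {"BRCA1": True}},
    {"id": 2, "sex": "F", "age": 52, "genes": {"BRCA1": True}},
    {"id": 3, "sex": "M", "age": 41, "genes": {"BRCA1": False}},
    {"id": 4, "sex": "F", "age": 29, "genes": {"BRCA1": False}},
    {"id": 5, "sex": "F", "age": 45, "genes": {"BRCA1": True}},
]

def count_where(pred: Callable[[Dict[str, Any]], bool]) -> int:
    return sum(1 for r in POPULATION if pred(r))

# Query templates defined by the packager; these are the bound computations.
def females_with_gene(gene: str) -> int:
    return count_where(lambda r: r["sex"] == "F" and r["genes"].get(gene, False))

def females_with_gene_in_age_range(gene: str, lo: int, hi: int) -> int:
    if not (0 <= lo <= hi <= 120):
        raise ValueError("invalid age range")
    return count_where(lambda r: r["sex"] == "F" and lo <= r["age"] <= hi
                       and r["genes"].get(gene, False))

QUERY_TEMPLATES: Dict[str, Callable[..., int]] = {
    "females_with_gene": females_with_gene,
    "females_with_gene_in_age_range": females_with_gene_in_age_range,
}
ALLOWED_GENES = {"BRCA1"}   # assumed: the packager exposes only this gene so far

def run_query(name: str, **params: Any) -> int:
    """Run a bound query template; anything not bound by the packager is refused."""
    template = QUERY_TEMPLATES.get(name)
    if template is None:
        raise PermissionError(f"query {name!r} is not among the bound computations")
    if params.get("gene") not in ALLOWED_GENES:
        raise PermissionError("gene is not exposed by the packager")
    return template(**params)

if __name__ == "__main__":
    print(run_query("females_with_gene", gene="BRCA1"))
    print(run_query("females_with_gene_in_age_range", gene="BRCA1", lo=18, hi=45))
```

Adding a new exploration later (say, a postulated correlation) means binding one more template to the full data set; the raw records were never reduced, so nothing has to be re-collected.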

Delegation of Computational Binding

In some embodiments, the originator or creator of a resource is not necessarily required to perform all binding between the resource and computations. For example, the originator may delegate the binding of computations to a third party, such as a database designed to manage a set of resources as a single logical resource.

For example, a genetic sequencing machine may establish a trusted channel with an online server and upload sequence information to it, delegating to the service the ability to determine which kinds of computations may be run on the sequence in the future.

Returning a Derived Resource

In some embodiments, a derived resource may be returned as a result of running a computation on another derived resource.

For example, an original resource might comprise a governed set of sub-resources. When an associated computation is performed on the resource to extract information about a particular sub-resource, that computation may result in the production of a second derived resource comprising the sub-resource and a set of computations for interrogating that sub-resource.

Location of the Computation

In a preferred embodiment, computations associated with a governed resource are performed in a protected processing environment. In some embodiments there is no logical restriction on the location of this protected processing environment. In some embodiments, the owner/packager of the resource sends a virtual secure package out into the world for various consuming entities to process; the computations (as well as rules evaluation) happen in protected processing environments at the consumer sites. An example of such a scenario is shown in FIG. 1B, which shows an illustrative system that governs derived resources in accordance with one embodiment of the inventive body of work. As shown in FIG. 1B, a virtual secure package 102 includes rules 104, computations 106, keys 108, and an original resource 110. The virtual secure package 102 is processed in accordance with its rules by a secure computing environment 112 to yield a derived resource 114. The dashed line around the virtual secure package 102 shown in FIG. 1B is meant to indicate that the four subcomponents shown (104, 106, 108, and 110) may be distributed together or separately, but are persistently associated with one another using, e.g., cryptographic techniques. The context information 116 shown in FIG. 1B may include, for example, information from the environment in which the resource derivation is being performed, which may include, for example, information gathered from the user of the system. The intent information 118 shown in FIG. 1B may, for example, specify the use that the user wishes to make of the data, and can be used to determine, at least in part, which rules 104 and computations 106 should be evaluated.

It will be appreciated that FIG. 1B is presented for purposes of illustration, and that there are many other viable possibilities. For example, the owner/packager of the resource may perform some or all of the computations in its own protected processing environment, and return results to a requester, e.g., based on certain attributes of the requester, such as an authenticated identity. Alternatively (or in addition), the computations on a resource may be performed by a delegate to whom the resource originator has delegated authority to attach or perform these computations.

Computing Against a Remote Resource

By combining the third-party computation technique described above with the techniques described regarding location of computation, it becomes possible to propose a computation to run against a remote resource. In one such embodiment, the owner of the resource could determine the necessary steps for authenticating and validating the proposed computation, and then perform the computation against his own resource, returning the result to the requester. One example of such a configuration is illustrated in FIG. 2.

In some embodiments, the logical binding between a computation and the resource may happen in one or more ways, including, for example:

By Name—the computation comes with metadata that specifies the resource(s) on which it is to be run.

By Attribute—the computation is sent along with a set of attributes that must be true of the resource to be operated on. For example, the requester may send a query string that the recipient uses to determine the set of resources over which the computation should be run.

FIG. 2 shows an example of how a computation can be proposed to run against a resource. A user 202 makes a request concerning a resource and is authenticated by authenticator A 204. A secure package 206 including the computation 208 is sent to the evaluator system 210, where it is verified and authenticated by the evaluator 210 and run against resource R 212 with policy P 214. The results 216 are returned back to the user 202, possibly through a series of intermediaries.
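The FIG. 2 flow on the evaluator side, as an added example that is not code from the patent: the user presents an authentication token, the secure package carrying the proposed computation is checked for integrity and origin, policy P decides whether this principal may run that computation, the target resources are selected by name or by attribute, and only then does the computation run. The resources, the session table and policy P are constructed; the HMAC over a shared key stands in for the package signature a deployed system would verify with a public key.

```python
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, List, Set

# Constructed resources R held by the evaluator (fictional genomic flags).
RESOURCES: Dict[str, Dict[str, Any]] = {
    "genome-001": {"attrs": {"population": "cohort-A", "sex": "F"}, "data": {"BRCA1": True}},
    "genome-002": {"attrs": {"population": "cohort-A", "sex": "M"}, "data": {"BRCA1": False}},
    "genome-003": {"attrs": {"population": "cohort-B", "sex": "F"}, "data": {"BRCA1": True}},
}

# Stand-in for the proposer's signing key trusted by the evaluator (assumption:
# a real deployment would use a public-key signature, not a shared HMAC key).
PROPOSER_KEY = b"proposer-signing-key"

def sign(payload: bytes) -> str:
    return hmac.new(PROPOSER_KEY, payload, hashlib.sha256).hexdigest()

# Computations the evaluator has already vetted; a package may only name one of these.
def count_brca1(selected: List[Dict[str, Any]]) -> int:
    return sum(1 for r in selected if r["data"]["BRCA1"])

COMPUTATIONS: Dict[str, Callable[[List[Dict[str, Any]]], Any]] = {"count_brca1": count_brca1}
POLICY: Dict[str, Set[str]] = {"count_brca1": {"researcher"}}   # policy P: roles per computation
SESSIONS: Dict[str, Dict[str, Any]] = {                          # output of authenticator A
    "token-abc": {"user": "alice", "roles": {"researcher"}},
}

def make_package(computation: str, target: Dict[str, Any]) -> Dict[str, str]:
    """Secure package (206): the computation id and its target, signed by the proposer."""
    body = json.dumps({"computation": computation, "target": target}, sort_keys=True)
    return {"body": body, "sig": sign(body.encode())}

def select_resources(target: Dict[str, Any]) -> List[Dict[str, Any]]:
    if "names" in target:         # binding by name
        return [RESOURCES[n] for n in target["names"]]
    if "attributes" in target:    # binding by attribute
        wanted = target["attributes"]
        return [r for r in RESOURCES.values()
                if all(r["attrs"].get(k) == v for k, v in wanted.items())]
    raise ValueError("target must bind by name or by attribute")

def evaluate(token: str, package: Dict[str, str]) -> Any:
    """Evaluator (210): authenticate, verify the package, apply policy P, run, return."""
    session = SESSIONS.get(token)
    if session is None:
        raise PermissionError("authentication failed")
    if not hmac.compare_digest(package["sig"], sign(package["body"].encode())):
        raise PermissionError("package signature invalid")
    request = json.loads(package["body"])
    comp = request["computation"]
    if comp not in COMPUTATIONS:
        raise PermissionError("computation has not been vetted by this evaluator")
    if not (session["roles"] & POLICY.get(comp, set())):
        raise PermissionError("policy P denies this computation to this principal")
    return COMPUTATIONS[comp](select_resources(request["target"]))

if __name__ == "__main__":
    pkg = make_package("count_brca1", {"attributes": {"population": "cohort-A"}})
    print(evaluate("token-abc", pkg))
```

The order of the checks matters: the signature is verified before the body is parsed, and policy is consulted before any resource is touched, so a forged or unauthorized package never reaches the data.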

It will be appreciated that the systems and methods described herein can be applied to virtually any type of content, some non-limiting examples of which are included below.

Examples of Derived Resources

Scalable Video—In some embodiments, the SVC (“Scalable Video Coding”) media example described above—in which access to varying levels of pre-computed resolution is granted based on the amount paid—can be replaced by a combination of a single, high-resolution video resource and a set of computations, each of which is governed by a rule of its own. For example, a user might have access to a low-resolution version of the video provided that certain conditions are met and that the resource is first filtered by a specified computation. Each level of resolution could be associated with a specific computation that produces the appropriate signal for rendering.

Filtered Health Data—In some embodiments, given a data series that consists of a sequence of health-related measurements (e.g., pulse rate measured every second for the last few months), different principals may be given access to different data resolutions. The patient himself might have access to the entire data series in full resolution, while his doctor may have access to a coarser view—the average resting and active pulse for the trailing two weeks. The doctor in this case may still have access to personally identifiable information, whereas a completely unrelated third party (such as an epidemiologist or researcher) may have access only to fully or partially anonymized data. The computations that perform the de-resolution of the data can be packaged along with the original data resource. In this case, the rules governing access to the data series could be associated with different principals or roles.

Virtual Worlds—In some embodiments, the original resource could be a game that consists of a description of a virtual space, encoded in enough detail that a sufficiently powerful rendering engine can produce a three-dimensional, interactive model of the space. For example, one area of the virtual space might be available only to users that have achieved a certain level in the game. The rules governing the resource may specify the computations that produce the views, or computations that are essential for producing the views.

Universal Decoding—In some embodiments, the original resource might consist of an interactive audiovisual presentation encoded in a particular proprietary format. The computation associated with rendering the resource could contain a full decoder for the data that decodes the original resource in a way that allows it to be rendered on the target platform.

Governance of Genetic Information—In some embodiments, the governed resource could be, e.g., a set of full genetic sequences and health metrics of a particular population, e.g., as described above.

Scientific Research—In scientific research it is often important to make data maximally available and verifiable while still ensuring that it is protected. Reputable scientific publications would typically like to ensure that the data driving the conclusions in published research is available to other scientists so that it may be verified. The algorithms used to process that data should also be available for peer review. At the same time, the data should not be susceptible to tampering. Thus, in some embodiments the data can be published in a protected form, with a rule specifying particular computations that may be performed on the data set. This arrangement simultaneously meets the needs of openness/publication and integrity protection.

Negotiating Advertising Load—In another example, a media (e.g., video or audio) stream might be partially funded by advertising. In this example, the resource might comprise a main program and a set of advertisements that may be inserted into the main program stream at certain positions. The derived resource returned when the resource is accessed may, for example, include a certain number of these advertisements based on, e.g., the principal requesting the content resource, attributes of that principal, and/or context at the point of rendering. For example, if the principal has already viewed a given set of advertisements in a given program, the computation may substitute in an alternate set. If the viewer has paid for a subscription, the computation may eliminate the advertisements altogether.

Negotiating Coupon Value—Another example is a variant on the advertising example described above; however, the resource returned in this example is not a media stream, but a digital coupon. The face value of the coupon can be determined by the interactions between the computation and the user. The user gets a better redemption value on the coupon if the user is willing to watch an advertisement that is included as part of the original resource.

As previously indicated in connection with FIG. 1B, in some embodiments, the elements of a virtual secure package 102 are bound together. As shown in FIG. 1B, these elements might include the original resource 110, one or more keys 108 that are used to encrypt and/or decrypt the resource, a set of one or more computations 106 that produce derived resources based on the original, and a set of one or more rules 104 that govern access to the original and/or derived resources.

In some embodiments, the binding may comprise packaging these elements together in a single package, but it may also comprise applying cryptographic (or other computational) techniques to associate these elements even when they are distributed separately. A number of factors may be used by the packager to determine whether computations should be bound to a resource. These may include, for example, authentication of the party that created the computation, attributes of that party (e.g., membership in a trusted group), inspection of metadata associated with the computation, results of running the computation in a test environment, etc.

In some embodiments, the computations may be bound with different strengths, as described below.

Strong Binding

In a strong binding example, computations, rules, resources, and keysare cryptographically bound together into a virtual secure package. Onemechanism that may be used to bind a computation to a resource is toinclude the computation in the same package as the rules that gateoverall access to the resource. The user may choose which of these rulesto evaluate, and if the conditions are met, the associated computationsare applied to the resource before it is returned. It will beappreciated that any suitable mechanism can be used to bind rules to aresource. For example, in some embodiments, the binding techniquesdescribed in commonly assigned, co-pending U.S. patent application Ser.No. 11/583,693 (Publication No. 2007/0180519 A1), filed Oct. 18, 2006(“the '693 application”) may be used.

In some embodiments, binding can be accomplished using a separatebinding object that securely associates a computation with a resource.That binding object may contain some information that uniquelyidentifies the resource being bound, such as, for example, a hash of theresource, the resource ID, a reference to the key that encrypts theresource, and/or the like. The binding object may also contain eitherthe computation itself, or a reference to the computation, such as ahash of the computational program, a unique identifier, etc. The bindingobject may itself be signed to provide for integrity protection of thebinding and to authenticate the party that created the binding at thepoint of evaluation.

Using this approach, the computations may travel separately from therules, the resource, and the keys, but remain logically within thesecure virtual package. In some embodiments, computations may be chained(composed) through the use of binding objects that point to otherbinding objects to be used as pre- or post-computations. Also, with thebinding object approach, it is not necessary to create the associationsbetween resources and computations a priori—computations can be bound ata later time, and in some embodiments they can be proposed by otherparties.
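As an added illustration that is not part of the patent, the following Go program builds the signed binding object described above, verifies it at the point of evaluation, and checks a chain of bindings used as pre-computations. The field layout, the `Binder` name, and the choice of Ed25519 and SHA-256 as the signature and hash primitives are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// BindingObject is this example's own layout for the binding object described
// above: resource and computation named by hash, the binder, optional predecessor.
type BindingObject struct {
	ResourceID      string `json:"resource_id"`
	ResourceHash    string `json:"resource_hash"`
	ComputationHash string `json:"computation_hash"`
	PreBindingHash  string `json:"pre_binding_hash,omitempty"` // chaining, optional
	Binder          string `json:"binder"`
}

// SignedBinding is the object plus the binder's Ed25519 signature over it.
type SignedBinding struct {
	Object    BindingObject
	Signature []byte
}

// TrustedBinders lists the parties whose bindings the secure environment accepts.
type TrustedBinders map[string]ed25519.PublicKey

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that gets signed. encoding/json emits struct
// fields in declaration order, so binder and verifier serialize identically.
func canonical(o BindingObject) []byte {
	b, _ := json.Marshal(o) // a struct of plain strings cannot fail to marshal
	return b
}

// NewBinder makes a signing key pair for one party (constructed for the demo).
func NewBinder() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Bind commits to (resource, computation) and signs the commitment. pre, if
// given, becomes the pre-computation that must be applied before this one.
func Bind(priv ed25519.PrivateKey, binder, resourceID string, resource, computation []byte, pre *SignedBinding) *SignedBinding {
	obj := BindingObject{ResourceID: resourceID, ResourceHash: sha256Hex(resource),
		ComputationHash: sha256Hex(computation), Binder: binder}
	if pre != nil {
		obj.PreBindingHash = sha256Hex(canonical(pre.Object))
	}
	return &SignedBinding{Object: obj, Signature: ed25519.Sign(priv, canonical(obj))}
}

// Verify is the check made at the point of evaluation: the binding must come from
// a trusted party, and the resource and computation actually presented must be the
// ones the binder committed to; on any mismatch the computation is not applied.
func Verify(sb *SignedBinding, trusted TrustedBinders, resource, computation []byte) error {
	pub, ok := trusted[sb.Object.Binder]
	switch {
	case !ok:
		return errors.New("binding from unknown party")
	case !ed25519.Verify(pub, canonical(sb.Object), sb.Signature):
		return errors.New("binding signature invalid")
	case sha256Hex(resource) != sb.Object.ResourceHash:
		return errors.New("resource does not match binding")
	case sha256Hex(computation) != sb.Object.ComputationHash:
		return errors.New("computation does not match binding")
	}
	return nil
}

// VerifyChain checks an ordered chain (pre-computations first): each binding is
// valid on its own and names its predecessor by hash, so steps cannot be swapped.
func VerifyChain(chain []*SignedBinding, trusted TrustedBinders, resource []byte, computations [][]byte) error {
	if len(chain) != len(computations) {
		return errors.New("chain and computations differ in length")
	}
	for i, sb := range chain {
		if err := Verify(sb, trusted, resource, computations[i]); err != nil {
			return fmt.Errorf("binding %d: %w", i, err)
		}
		prev := "" // the first binding must not claim a predecessor
		if i > 0 { prev = sha256Hex(canonical(chain[i-1].Object)) }
		if sb.Object.PreBindingHash != prev {
			return fmt.Errorf("binding %d does not chain to its predecessor", i)
		}
	}
	return nil
}
```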

Weak Binding

In some embodiments, a relatively weak binding can be used instead, e.g., based on identifying a computation by name or attribute rather than using cryptography.

As shown in FIG. 1B, in a preferred embodiment a secure computing environment is used to evaluate rules and apply computations on the original resource. In some embodiments, the secure computing environment has some or all of the following properties:

-   It validates the source of the elements in the secure package as trustworthy; in some embodiments it has the ability to discriminate between virtual secure packages that are from known or trusted sources and those that are not, and, in the latter case, the secure computing environment is able to avoid evaluating rules or performing resource derivations.
-   It prevents tampering or interference with the evaluation of rules or resource derivation computations at the point of access to the content.
-   It protects the keys used to encrypt the content from unauthorized access.

In some embodiments, a well-defined computational engine is used to produce the derived resources. Embodiments of this computation engine can be designed depending on the manner in which the computations are expressed. For example:

Declarative computations—Computations may be expressed declaratively, using documents written in a special-purpose language that indicate the computations that need to be performed upon the original resource but not giving guidance as to how these computations are to be effected. In such cases, the computation engine should understand the semantics of the special-purpose language with which the computations are specified so that the original creator of the virtual secure package can be assured that the computations are performed in an expected manner. The packagers and users will typically agree on the declarative language in advance.

Procedural computations—Computations may also be expressed as programs written for a standardized machine. In particular, the system design may specify a virtual machine language in which these computations are expressed. Because the original creator of the computations knows the specification for the standardized machine, he can create procedural computations with a full understanding of its operation, without being required to specify in advance the high-level semantics of the computations being performed.

In some embodiments an optional protected database may also be used, e.g., at the point of rules evaluation, to store state variables that are used as inputs to, or to otherwise affect, the computations.

Examples

Some additional examples of the implementation and use of derived resources in accordance with embodiments of the inventive body of work are presented below. Although many of the examples relate to biology and epidemiology, it will be appreciated that the inventive body of work is not limited to these fields.

Preserving Privacy in Large Surveys

In this example a national survey is trying to determine the link between a certain type of illness, profession, and home address. The purpose of the survey is to produce a map with high, medium, and low risk for different types of the illness. The map is incorporated in a zooming system so the viewer of the map can zoom from a global view to a local view. A query interface allows the viewer to ask for display of different types of conditions and professions.

The survey combines the results from many different databases in a secure environment and packages the result as a governed derived resource.

In this example, the rules for querying the results inside the governed derived resource might be as follows:

-   When the result of the query is over a large area, the results will be specific; for instance, the number of teachers with the illness in a particular state will be reported to an accuracy on the order of 10 if there are more than 100 results returned. If there are fewer than 100 results returned, the reported value will be a random value with a normal distribution around 50 and a deviation of 10.
-   For progressively smaller areas, the accuracy of the results will degrade so that you can never get better accuracy than on the order of 30 results.
-   Random results will be inserted into the return values to make certain that individuals can't be identified by narrowing the selection in the survey; however, if the requester can provide credentials that identify him or her as a licensed physician in the state where the data view is requested, all results are accurate down to an order of two.
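The rules above as an added example computation, not code from the patent: this Go function derives the reported count for one query from the true count, so the raw value never leaves the secure environment except in the rounded or randomized form the rules permit. The `Credential` and `Query` layouts, the treatment of exactly 100 results as the small case, and the coarsening by a further 30 per zoom level are this example's own assumptions.

```go
package main

import (
	"math"
	"math/rand"
)

// Credential is what the requester presents to the secure computing environment
// (constructed layout). Physician credentials carry the state of licensure.
type Credential struct {
	LicensedPhysician bool
	State             string
}

// Query names the area being viewed. ZoomLevel 0 is the largest area (a state);
// each deeper level is a smaller area on the zooming map.
type Query struct {
	State     string
	ZoomLevel int
}

// publicGranularity is the rounding step the rules allow a non-physician:
// order 10 at the state level, and no finer than order 30 once the area shrinks.
// Coarsening by a further 30 per zoom level is this example's reading of
// "progressively smaller areas".
func publicGranularity(zoom int) int {
	if zoom == 0 {
		return 10
	}
	return 30 * zoom
}

// roundTo reports n to the nearest multiple of step.
func roundTo(n, step int) int {
	return int(math.Round(float64(n)/float64(step))) * step
}

// NewRNG returns a seeded generator so the randomized branch is reproducible.
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// DerivedCount is the computation that produces the view of one survey count.
func DerivedCount(trueCount int, q Query, c Credential, rng *rand.Rand) int {
	// A physician licensed in the state of the view sees counts accurate to order 2.
	if c.LicensedPhysician && c.State == q.State {
		return roundTo(trueCount, 2)
	}
	// Small counts (100 or fewer) are replaced by a random value, normal around 50
	// with deviation 10, so narrowing a selection cannot isolate individuals.
	if trueCount <= 100 {
		v := int(math.Round(50 + 10*rng.NormFloat64()))
		if v < 0 {
			v = 0
		}
		return v
	}
	// Large counts are reported to the granularity the area allows.
	return roundTo(trueCount, publicGranularity(q.ZoomLevel))
}
```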

The resulting governed derived resource can be downloaded from the survey center and viewed on any computer with a secure computing environment.

This allows the casual observer to view the effects, if any, between location and diagnosed cases of the illness, without being able to identify the actual individuals with the condition. Licensed physicians in the state can get a much more accurate view.

To implement this example, the person performing the survey might query a number of databases for relevant data and create a new database from these results. The database could be implemented as a file. Two different sets of accessor functions to the database could be implemented as computer programs. The programs could reside in program files stored in memory of a computer system.

The program pertaining to the licensed physicians could be encrypted with the public keys of the recognized state certifying boards. One way to do this is to create a symmetric key, encrypt the program with this key, then encrypt the symmetric key with the public keys of the state certifying boards.

The database file, the accessor program files pertaining to the public, and the encrypted program pertaining to licensed physicians could all be packaged into a transport file. This file could be encrypted with the public keys of the common secure computing environment providers and distributed to anyone who wants to view the survey.

When a user wants to view the survey via a viewer, he or she first presents credentials. The credentials can either be the standard credentials that come with the secure computing environment, or credentials from an authority that, e.g., can assert that the user is a qualified licensed physician.

At a later time, after the survey has been published, a doctor notices a connection between a specific gene ABC1, an environmental factor, and a specific diagnosis of the illness. He writes to the authors of the survey and asks for permission to perform high resolution studies, using his state-board-issued general practitioner credentials to perform high resolution correlations between his data and the survey data. He provides the calculations he wants to perform as computer programs in a file. Along with the computer programs, he also sends his own credentials.

The stakeholders in the survey inspect the computer programs and the doctor's credentials. They send back a package of instructions to be loaded together with the governed derived resource, and a signed assertion that the doctor is allowed to view high resolution data.

The doctor then loads the original governed derived resource together with the new instruction package, and his signed credentials. In the secure environment the new instructions are recognized as being from the survey stakeholders. The signed credentials are also recognized. The governed derived resource now incorporates the new instructions into itself. This produces a governed derived resource that acts as the old governed derived resource in all cases except when it operates in the context of the doctor's credentials, running against his special computations.

Personalized Healthcare

Susan uses an online service to track her exercise regimen. The service maintains a personal health record and stores information gathered from various biometric sensors that Susan uses to track her health, including a weight scale and a multi-function fitness watch that records (once per second) Susan's activity level, location, heart rate, pulse oximetry, and galvanic skin response (GSR).

Susan uploads the data from her watch to her PC (e.g., using Bluetooth, Bluetooth LE, ANT+, 6LoWPAN, a USB connection, a small, low-power radio base station attached to her computer, and/or the like), which automatically uploads the data over the Internet into a service. Uploads happen over a secure channel using standard technology such as the HTTPS protocol.

Through the service, Susan locates a personal trainer to help her fine-tune her routine. After establishing a relationship with the trainer through the service, the trainer generates a request for access to Susan's data—every Sunday evening, the trainer would like to receive a list of each of Susan's workouts during the week, and, for each workout, statistics like (a) the start and end times of the workout, (b) the distance traveled during the workout, (c) the starting heart rate, peak heart rate, and the length of time during which Susan was within 5% of the peak heart rate, and (d) the galvanic skin response (GSR) at peak heart rate.

The service provides the trainer a user interface through which to make this request and send it to Susan. The request for data contains a human-readable description of the data to be collected each week. Susan receives the request and approves it, but attaches an additional condition that only data collected between 7 am and 7 pm can be viewed.

Each Sunday evening, the service collects all of the data that Susan has generated during the preceding week and packages it as a single resource to be sent to her personal trainer for review.

The service collects all of the data for the week—in its raw format—into a single bundle and encrypts the bundle with a unique symmetric key, generated by the service.

The service generates a rule that allows the trainer access to this data. This rule may be based, for example, on some digital representation of the relationship between Susan and the trainer that is evaluated when the data package is accessed by the trainer.

Further, the service generates a set of computations to associate with the data package that compute, for each workout, the elements that the trainer has requested. These computations are written to run on a virtual machine embedded in client software that the trainer uses to review the data.

The service creates a license object that cryptographically links together the data package, the rules, and the computations. To provide one example instantiation, the license object may contain some or all of the following subcomponents:

-   A data structure that binds the data package to an identifier, which contains the identifier and a cryptographic hash of the data itself,
-   A data structure that binds the symmetric encryption key used to encrypt the data package to a key identifier, containing the key identifier and the actual key,
-   A series of data structures, one for each rule, that bind the rules to their respective identifiers by packaging the rule identifiers together with cryptographic hashes of the byte codes of the executable rules,
-   A series of data structures, one for each computation, that bind the computations to their respective identifiers by packaging the computation identifiers together with cryptographic hashes of the byte codes of the executable computations,
-   A data structure containing the identifier of the data package and the identifier of the key used to encrypt the data,
-   A data structure containing the identifier of the data package and the identifier of the rule set to be used to govern access to the data package,
-   A data structure containing the identifier of the data package and the identifiers of the associated computations that will produce views of the information in the data package,
-   The set of rules, in byte code format, to be executed by a virtual machine by the receiver,
-   The set of computations, in byte code format, to be executed by a virtual machine by the receiver, and/or
-   Metadata that is used to establish what the data in the package represents (e.g. that it was Susan's data, the week during which it was collected, etc.).

The personal trainer uses a software package that allows him to explore the data for all of his clients. This software is built using a software development kit (SDK) that implements a secure execution environment for accessing the data. On Monday morning, the trainer opens and starts the software package, which connects to the service and downloads any new information that he may have received from his clients.

To review Susan's data, the trainer clicks on Susan's name in a user interface presented by the software. The software may do several things in its secure processing environment, including some or all of the following, for example:

-   Uses metadata in the various license objects it knows about to identify Susan's data packages (this information may be indexed in some local database),
-   Opens the latest week's license object and uses the data structures linking the data package to the rule set to find and load the rules associated with the data package,
-   Executes the byte codes that instantiate the rules and makes a decision as to whether to continue processing based upon whether the conditions expressed in the rules are met,
-   Assuming the rules have been successfully evaluated, uses the data structure binding the data package to the encryption key to obtain the key and decrypt the data,
-   Uses the data structures binding the data package to its computations to load and execute the computations, which produce several views of the data package, one for each computation,
-   Makes the results of these computations available to the user interface portions of the software package for display,
-   Sends an audit record back to the online service, which Susan can check periodically to determine how her data is being used.
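An added example, not the patent's own code, of the rule evaluation and the bound computation from the steps above: the trainer's client first evaluates the rule (an active relationship plus Susan's 7 am to 7 pm condition) and only then runs the computation that produces items (a) to (d) of the request, consuming the location samples for the distance figure without ever placing them in the view. The `Sample` layout, the `Rule` fields and the `At` helper are constructed for this example.

```go
package main

import (
	"errors"
	"math"
	"time"
)

// Sample is one once-per-second reading from the watch (constructed layout).
type Sample struct {
	At            time.Time
	Lat, Lon, Alt float64 // location: present in the raw data, never in the view
	HeartRate     int
	SpO2, GSR     float64
}

// WorkoutView is the derived resource the trainer asked for: items (a) to (d)
// from the request, and nothing else.
type WorkoutView struct {
	Start, End      time.Time
	DistanceMeters  float64
	StartHR, PeakHR int
	SecondsNearPeak int // seconds spent within 5% of the peak heart rate
	GSRAtPeak       float64
}

// Rule holds what the secure environment evaluates before the computation runs:
// the trainer relationship, and Susan's added condition on the hours of day.
type Rule struct {
	RelationshipActive bool
	FromHour, ToHour   int // Susan's condition: 7 and 19 (7 am to 7 pm)
}

func (r Rule) allows(s Sample) bool {
	h := s.At.Hour()
	return h >= r.FromHour && h < r.ToHour
}

// At builds a timestamp on a fixed constructed date, for the demo and tests.
func At(hh, mm, ss int) time.Time { return time.Date(2011, 4, 11, hh, mm, ss, 0, time.UTC) }

// haversine gives the great-circle distance in metres between two points.
func haversine(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371000.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// WorkoutStats is the computation bound to the weekly package. It runs only if
// the rule passes, drops samples outside Susan's hours, and returns a view that
// uses the location samples for distance without exposing them.
func WorkoutStats(r Rule, raw []Sample) (*WorkoutView, error) {
	if !r.RelationshipActive {
		return nil, errors.New("rule failed: no active trainer relationship")
	}
	var kept []Sample
	for _, s := range raw {
		if r.allows(s) {
			kept = append(kept, s)
		}
	}
	if len(kept) == 0 {
		return nil, errors.New("no samples within the permitted hours")
	}
	v := &WorkoutView{Start: kept[0].At, End: kept[len(kept)-1].At, StartHR: kept[0].HeartRate}
	for i, s := range kept {
		if i > 0 {
			p := kept[i-1]
			v.DistanceMeters += haversine(p.Lat, p.Lon, s.Lat, s.Lon)
		}
		if s.HeartRate > v.PeakHR {
			v.PeakHR, v.GSRAtPeak = s.HeartRate, s.GSR
		}
	}
	for _, s := range kept {
		// Integer comparison avoids float rounding at exactly 95% of peak.
		if s.HeartRate*100 >= v.PeakHR*95 {
			v.SecondsNearPeak++ // one sample per second
		}
	}
	return v, nil
}
```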

The trainer sees the results of these computations in his user interface. Note that the underlying data from which these results were derived was not exposed to the trainer, so that, for example, the trainer cannot learn where the workouts occurred, even though that information is contained in the raw data uploaded by Susan and sent to the trainer in the data package.

After evaluating Susan's data for several weeks, the personal trainer wants to encourage Susan to increase her stamina by doing her workouts on more varied terrain. In order to assess the effectiveness of this regimen, the trainer would like to have information about where Susan is exercising so that he can plot it on a map of the area and determine whether she is going uphill, on a relatively flat area, etc. He wishes to receive this data along with detailed heart rate data so that he can correlate heart rate against location. The trainer uses an interface provided by the online service to request this additional information from Susan.

Susan receives the request, but does not feel comfortable giving the trainer access to detailed location information. After all, she has never met the trainer in person and is somewhat cautious about giving out such information. However, she does understand the trainer's reasons for asking for this data, and wishes to support his analysis, so rather than accepting the trainer's request, Susan herself uses an interface at the online service to create a computation that allows access to the altitude data, but not latitude and longitude.

The service interface presents a structured browser for different computations that are available in a template library. The browser presents computations pertaining to different types of data, such as ‘Location’, ‘Fitness’, etc.

Susan browses to the ‘Location’ area and notices that several computations are available to her: ‘Full location information’, ‘Latitude/Longitude’, ‘Altitude’.

Susan selects ‘Altitude’, and the interface then allows her to select the data resolution for the computation, both temporally and spatially. For example, Susan may select ‘Every 30 seconds’ or ‘5 minute trailing average’ for temporal resolution and ‘Full resolution’ or ‘Randomized within +/−10 m’ for spatial resolution.

Using a similar procedure, Susan selects a computation that provides heart rate data on 30-second intervals.

Once Susan has selected the computations she wishes to apply, she uses an additional interface to authorize the personal trainer to obtain this computation. From then on (or until Susan revokes the authorization) this computation will be included as part of the weekly report sent to the trainer.

The trainer begins receiving the altitude and detailed heart rate data, which he uses to assess the effectiveness of Susan's workout and provide feedback. After evaluating one week's worth of data, he finds this new information useful and makes a request for similar information on Susan's past data, which Susan authorizes. As a result, the trainer receives new license objects from the online service that provide the altitude/heart rate computations on data packages that he has already received and stored; the service does not need to retransmit the data packages themselves, only the new license objects.

After a couple of months on the new regimen, it appears that Susan's cardiovascular efficiency is not improving in the expected manner. Her workouts move in fits and starts, with frequent rests in the middle. The trainer, who works for an organization with doctors specializing in sports medicine on staff, would like to get some input from a staff physician, who works from a different location. Through the service, the trainer asks Susan if that would be acceptable, and she agrees. The trainer forwards the last month's worth of Susan's data directly to the physician. The data packages and licenses are included.

The physician attempts to open the data to run the computations, and (since he is not yet authorized to access the data at all) is prompted by his software to request authorization from Susan. He does so, and an authorization request is sent to Susan, who approves it.

After analyzing the data, the physician begins to suspect a problem with poor oxygenation, and, through the online service, requests additional access to Susan's pulse oximetry data, which Susan approves for the physician. Note that the trainer does not have access to the same data; the service has created separate computations for the pulse oximetry data for the physician and sent licenses containing those computations to the physician only.

The physician draws some conclusions from the data and provides his recommendations back to the trainer, who modifies Susan's regimen to reflect the physician's input. Her cardiovascular performance begins to improve.

At some later time, in reviewing the use of her data in the service and the active authorizations, Susan realizes that the physician still has access to her information and chooses to disable this access, since the consultation has completed. The licenses that were issued to the physician are marked as invalid, the physician's software is notified of this fact, and no future licenses are created or sent to the physician under this authorization. In other embodiments, the license might expire automatically after a specified period of time.

Video Download Service

Ian subscribes to an online movie service that gives him unlimited access to a broad variety of movies for all of his various rendering devices.

The service is designed for download and persistent storage of the programs, as opposed to a more streaming-oriented model. Streaming may be emulated by progressive download of the video, but even in this model, a license is obtained first, and the rules evaluated, before the progressively-downloaded stream is rendered.

The service offers a number of subscription tiers, including a standard-definition free tier, supported by advertising. This is Ian's option, initially. Other options (on a fee schedule) include a standard-definition offering with no ads, and a high-definition offering.

The service is designed to provide high definition video files to all customers over a peer-to-peer distribution network. The logistics of distributing multiple versions and resolutions of each movie were deemed to be too complex, so every customer receives exactly the same high-definition video file, regardless of their subscription tier.

The video files are distributed separately from licenses. When a customer requests a license, the license contains computations that derive the particular customer's view of the data, providing to the rendering system exactly the video stream that the customer is entitled to view.

In the case of the free, ad-supported standard definition tier, three computations are contained in each license: (i) a computation that extracts a standard-definition stream from the packaged video, (ii) a computation that periodically downloads advertising files from an ad server and inserts them into the output stream, falling back to some default ads if the ad server is not reachable, and (iii) a computation that sends an audit record of the ad impression back to the ad server.

These computations are bound to the video files much as described in the previous example.

These computations are performed in the client software by a secure computing environment that evaluates the licenses, decrypts the content, and applies output computations to the content before returning it to the client's native rendering engine.

When a customer subscribes to a premium tier—which costs money—the requirement to apply one or both of these output computations before rendering is removed.

The service is designed to maximize ad revenue by allowing customers to freely distribute the protected content. If the recipient of the protected content is a paid subscriber, he may transparently obtain licenses to render the content at the resolution he has paid for. If the recipient is not a subscriber, he cannot render the video at all until he installs the client software. Directly distributed videos are bundled with a default license that lets the recipient view the standard definition video with ads.

Ian downloads a movie onto his tablet before going on a business trip. He likes the movie so much that he wants to give a copy to his friend Jim. He simply copies the movie file (which contains the packaged video content and the default license) onto Jim's system, and Jim is able to watch the movie.

After enjoying the movie, Jim decides to pay for a subscription to the service. Once he does so, he obtains licenses for the content he has that allow for rendering without advertisements. These licenses are downloaded very quickly, and the upgrade takes effect instantly, without having to re-download the relatively large video files.

In an attempt to be more family-friendly, the movie service enters into a partnership with an organization called ‘Movies4Families’. This organization reviews all of the films offered by the service and determines which scenes may be inappropriate for younger viewers, categorizing them by type (e.g. mild violence, swearing, nudity, innuendo, etc.).

For each such scene, the organization creates computations that modify the output stream to eliminate the objectionable scenes, blank the screen for two seconds, bleep the audio, splice in an alternate storyline, or take whatever other measure is required to make the movie more family friendly.

These computations depend upon the user settings. For example, if a parent configures their child's client for a 10 year old, then certain default computations may be applied that differ from the computations that would apply for a 15 year old.

The parental controls may contain the ability to fine-tune the filtering as well.

Ian signs up for the Movies4Families service. As a result, for every movie he downloads from the main video service, his client will also pull computations from the Movies4Families service that apply the appropriate filters. When movies are rendered on his young son's device, the filters ensure that he is not seeing the inappropriate sections.

Technically, the computations created by Movies4Families are bound to the movies they govern in the same way that the video service bound them—by creating an object that binds together the identifier for the video and the identifier for the computation.

In this example, suppose that the video client used in the movie service will only trust licenses and computations that are digitally signed by an entity holding a certified key, where the certified key was issued by the movie service itself. In this case, the movie service has issued to Movies4Families a certified key that allows them to digitally sign the objects that associate the movie and the filtering computations.

Movies4Families sends to clients the computation itself and the binding between the computation and the movie, all digitally signed with the key that derives from the video service. As such, the video client recognizes the signature, and will apply the requested computations at the time of rendering.

The function of the filter depends upon settings in the client. For example, Ian and his young son may both watch the same movie using their respective clients, but because the son's client has been configured for a 10 year old, his stream may be heavily filtered, whereas Ian sees the original unfiltered film. This example shows how state variables maintained at the client side may impact the computations performed.

Digital Remixing and Mashups

John is a musician who has created a seminal funk track and distributed it digitally with a license that does not allow copying.

Malcolm is a DJ who wishes to make (and sell) a digital mashup incorporating a 4 second sample of John's original track, mixed in with several other audio tracks.

Using digital mixing software, Malcolm creates a computation that extracts the relevant 4 seconds from John's track, filters it through a flanger, and puts it into his mix at the appropriate points.

Malcolm sends this computation to John, who approves of this particular use so long as he is paid half a cent per play. He signs the computation, binding it to his original track, and adds a post condition that sends him an audit record each time the excerpt is played, allowing him to track the usage for billing.

Malcolm packages his own mashup, including John's original track and the computation that extracts and filters the 4 second sample. On rendering, John's computation is applied at the appropriate points and John eventually gets paid for the use of his original sample.

Genetics

Elizabeth enrolled in a clinical trial that required that she have hergenome sequenced. The trial was to investigate the relationship betweencertain genotypes and optimal dosing for an anti-cancer medication.

Elizabeth was first required to set up an account at a geneticinformation service that was to store and manage access to her genome.Once she had registered this account, the service generated a randomsample number (and barcode), which she printed out and took to thesequencing lab.

Elizabeth provided her sample, and the lab technician scanned thebarcode, associating Elizabeth's genome sequence with the random samplenumber.

The genome was uploaded to the information service securely, and therandom sample number was used to look up Elizabeth's account and createa binding between her genome and her other account information.

The genetic information service was created in such a way that the genesequence itself may be freely copied among multiple research facilitiesin a protected form, but permission to decrypt or access that sequencemust be given by Elizabeth herself, as authenticated by the service.This architecture allows Elizabeth's gene sequence (which is a ratherlarge file of several gigabytes) to be distributed to researchers whomay be interested in using it in a study, but with all such uses auditedand controlled by Elizabeth.

When Elizabeth registered for the clinical trial, she was asked toapprove certain queries against her genome that the scientists designingthe study had asked for. For example, suppose the study was about breastcancer, and the researchers were asking for access to information aboutthe BRCA1, BRCA2, and TP53 genes.

Because Elizabeth approved these uses of her genome, for theseparticular researchers, the genetics service created severalcomputations to run against Elizabeth's genome that extract the requiredinformation and provide it to the authorized parties. These computationshave auditing requirements as well, which cause audit reports to be sentto the genetics service each time a computation is performed. ThusElizabeth can track how her information is being used, and by whom. Theservice binds these computations to the genome by digitally signing adata structure that cryptographically binds together the genome and thecomputation, e.g., as described elsewhere herein.

At some later date, one of the researchers involved in the studydiscovers what he believes to be a new connection between theperformance of the anti-cancer drug and a heretofore unknown geneticmechanism.

Using the genetics service, the researcher performs a query to identifya likely research cohort from among all people that have accounts in theservice. This query identifies people who have participated in previousstudies on breast cancer without revealing their identities to theresearcher.

The researcher uncovers 130 candidates for his new study, but he doesnot know who they are. There may be other candidates in the system, butthey have signaled that they are not interested in participating infuture studies, so they are not shown as candidates to the researcher.

Using an interface provided by the genetics service, the researcheruploads a computation into the system that will interrogate the genometo test for the hypothesized patterns.

The researcher created this computation using software in his lab, andverified it by running it against genomes to which he had full access.

He uploaded the computation to the service through an interface thatallowed him to specify metadata about the computation (what it would beused for, etc.) and to digitally sign the computation using a key thathe controls.

Using the genetics service, the researcher asks each of the 130candidates if they are willing to participate. For those that agree, theservice binds the new computation to their respective genome sequenceswith the condition that only the originator of the computation may runit—the holder of the private key corresponding to the public key used tosign the computation.

These computations are forwarded to the researcher as they come in, and the researcher applies them to the genome sequences he already has in his lab, or downloads copies of the relevant genome sequences if he no longer has copies.

The researcher discovers something peculiar about Elizabeth's particular sequence and uses the service to send her an anonymous message asking her to contact him. Over the phone, the researcher explains what he is finding, and asks Elizabeth for permission to access her whole sequence so that he may investigate further.

Using the service, Elizabeth creates a computation, binds it to her genome, and sends it to the researcher. The computation allows that specific researcher to run any additional computation against her genome, so long as he runs it in a trusted environment, and requires that each such access be audited.

In effect, Elizabeth has delegated to the researcher the ability to bind any new computations to her genome, so long as he is authenticated and using the trusted environment to perform the computation. This allows Elizabeth a degree of control over her genome that she would not have if she simply gave the researcher an unprotected file.

Technically, this might take the form of a pre-computation required by Elizabeth that authenticates the next computation in the chain (the one proposed by the researcher) according to conditions that Elizabeth has set. It might also be implemented as a post-condition that first runs the researcher's proposed computation and then allows or disallows output depending upon the conditions.

The researcher may request the ability to bind other types of computations (for example, to allow collaborators to interrogate Elizabeth's genome), but he must first obtain Elizabeth's permission to bind and distribute these computations.

Scientific Research

Josh is a social sciences researcher who is publishing a paper in an area with political overtones. He knows in advance that his findings will be controversial among certain political groups, and that he will be accused of filtering the data to suit his own political agenda. He needs to be able to prove that he did not, for example, omit inconvenient samples, but he needs to be able to prove this without revealing the raw data itself, which might be used to identify his research subjects.

Josh collects his data in a well-defined format, carefully documenting the source of his data (and ideally collecting signatures or biometrics that can be used for later verification). He creates a series of programs as part of his research that process the data and extract statistics. Once he has made some conclusions about the data, he packages the data into one container and encrypts it with a symmetric key that he generated.

Josh packages the computations that he has used to compute his final results, including, for example: a series of computations that produce certain statistical tables to appear in his paper, computations that produce the various figures/graphs for his paper, and/or the like.

Josh binds these computations to his raw data, using techniques disclosed elsewhere herein, and puts the packaged data and computations together on a publicly-accessible website.

Josh publishes his paper. When a critic charges him with selective data manipulation, Josh directs the critic to the website, where he may download Josh's original data package and computations to perform the experiments himself.

The critic downloads the data set and verifies that the data have not been tampered with since being packaged, that the computations produce the results shown in Josh's paper, and that the computations themselves, which are in a human-readable format, do not attempt to eliminate data that do not support the conclusion.

After verifying these things, the critic still does not accept Josh's conclusions. The critic believes that Josh has ignored the biasing influence of a particular factor. The critic creates a modified version of one of Josh's computations that accounts for the biasing factor, and proposes the computation to Josh.

Josh accepts the criticism as valid, signs the computation to bind it to his data set, and sends the binding back to the critic, who runs the new computation against the data. As it turns out, Josh's conclusions still hold, and Josh now includes the critic's proposed computation as part of his public package for verifying his results.

It will be appreciated that there are a number of ways to implement the systems and methods described herein. For example, in some embodiments the systems and methods described herein can be used in connection with the digital rights management technology described in the '693 application, and/or the digital rights management or service orchestration technology described in commonly assigned U.S. patent application Ser. No. 10/863,551 (Publication No. 2005/0027871) (“the '551 application”) (the contents of both the '693 application and the '551 application are hereby incorporated by reference in their entirety), although any other suitable DRM and/or services technology could be used instead.

FIG. 3 shows an illustrative system 300 for governing electronic content, including derived resources such as those described herein. As shown in FIG. 3, an entity 302 holding rights in electronic content 303, packages the content for distribution and consumption by end users 308 a-e (referred to collectively as “end users 308,” where reference numeral 308 refers interchangeably to the end user or the end user's computing system, as will be clear from the context). For example, entity 302 may comprise a content owner, creator, or provider, such as an individual, a researcher, a musician, movie studio, publishing house, software company, author, mobile service provider, Internet content download or subscription service, cable or satellite television provider, the employee of a corporation, or the like, or an entity acting on behalf thereof, and content 303 may comprise any electronic content, such as personal healthcare data, genetic information, research results, digital video, audio, or textual content, a movie, a song, a video game, a piece of software, an email message, a text message, a word processing document, a report, or any other entertainment, enterprise, or other content.

In the example shown in FIG. 3, entity 302 uses a packaging engine 309 to associate a license 306 and one or more computations 307 with the packaged content 304. License 306 is based on the policies 305 or other wishes of entity 302, and specifies permitted and/or prohibited uses of the content and/or one or more conditions that must be satisfied in order to make use of the content, or that must be satisfied as a condition or consequence of use. Computations 307 provide various views of the content, in accordance with the policies specified by license 306. The content may also be secured by one or more cryptographic mechanisms such as encryption or digital signature techniques, for which a trust authority 310 may be used to obtain the appropriate cryptographic keys, certificates, and/or the like.

As shown in FIG. 3, packaged content 304, licenses 306, and computations 307 can be provided to end users 308 by any suitable means, such as via a network 312 like the Internet, a local area network 311, a wireless network, a virtual private network 315, a wide area network, and/or the like, via cable, satellite, broadcast, or cellular communication 314, and/or via recordable media 316 such as a compact disc (CD), digital versatile disk (DVD), a flash memory card (e.g., a Secure Digital (SD) card), and/or the like. Packaged content 304 can be delivered to the user together with license 306 and/or computations 307 in a single package or transmission 313, or in separate packages or transmissions received from the same or different sources.

The end user's system (e.g., a personal computer 308 e, a mobile telephone 308 a, a television and/or television set-top box 308 c, a tablet 308 d, a portable audio and/or video player, an eBook reader, and/or the like) contains application software 317, hardware, and/or special-purpose logic that is operable to retrieve and render the content. The user's system also includes software and/or hardware, referred to herein as a digital rights management engine 318, for evaluating the license 306 and computations 307 associated with the packaged content 304 and enforcing the terms thereof (and/or enabling application 317 to enforce such terms), such as by selectively granting the user access to the content only if permitted by the license 306 and in accordance with computations 307. Digital rights management engine 318 may be structurally or functionally integrated with application 317, or may comprise a separate piece of software and/or hardware. Alternatively, or in addition, a user's system, such as system 308 c, may communicate with a remote system, such as system 308 b, (e.g., a server, another device in the user's network of devices, such as a personal computer or television set-top box, and/or the like) that uses a digital rights management engine to make a determination 320 as to whether to grant the user access to content previously obtained or requested by the user.

The digital rights management engine, and/or other software on the user's system, or in remote communication therewith, may also record information regarding the user's access to or other use of the protected content. In some embodiments, some or all of this information might be communicated to a remote party (e.g., a clearinghouse 322, the content creator, owner, or provider 302, the user's manager, an entity acting on behalf thereof, and/or the like), e.g., for use in tracking use of the owner's personal information, allocating revenue (such as royalties, advertisement-based revenue, etc.), determining user preferences, enforcing system policies (e.g., monitoring how and when confidential information is used), and/or the like. It will be appreciated that while FIG. 3 shows an illustrative architecture and a set of illustrative relationships, the systems and methods described herein can be practiced in any suitable context, and thus it will be appreciated that FIG. 3 is provided for purposes of illustration and explanation, not for purposes of limitation.

FIG. 4 shows a more detailed example of a system 400 that could be used to practice embodiments of the inventive body of work. For example, system 400 might comprise an embodiment of an end user's device 308, a content provider's device 302, and/or the like. For example, system 400 may comprise a general-purpose computing device such as a personal computer 308 e or network server 315, or a specialized computing device such as a cellular telephone 308 a, personal digital assistant, portable audio or video player, television set-top box, kiosk, gaming system, or the like. System 400 will typically include a processor 402, memory 404, a user interface 406, a port 407 for accepting removable memory 408, a network interface 410, and one or more buses 412 for connecting the aforementioned elements. The operation of system 400 will typically be controlled by processor 402 operating under the guidance of programs stored in memory 404. Memory 404 will generally include both high-speed random-access memory (RAM) and non-volatile memory such as a magnetic disk and/or flash EEPROM. Some portions of memory 404 may be restricted, such that they cannot be read from or written to by other components of the system 400. Port 407 may comprise a disk drive or memory slot for accepting computer-readable media 408 such as floppy diskettes, CD-ROMs, DVDs, memory cards, SD cards, other magnetic or optical media, and/or the like. Network interface 410 is typically operable to provide a connection between system 400 and other computing devices (and/or networks of computing devices) via a network 420 such as the Internet or an intranet (e.g., a LAN, WAN, VPN, etc.), and may employ one or more communications technologies to physically make such connection (e.g., wireless, Ethernet, and/or the like). In some embodiments, system 400 might also include a processing unit 403 that is protected from tampering by a user of system 400 or other entities. Such a secure processing unit can help enhance the security of sensitive operations such as key management, signature verification, and other aspects of the digital rights management process.

As shown in FIG. 4, memory 404 of computing device 400 may include a variety of programs or modules for controlling the operation of computing device 400. For example, memory 404 will typically include an operating system 420 for managing the execution of applications, peripherals, and the like; a host application 430 for rendering protected electronic content; and a DRM engine 432 for implementing some or all of the rights management functionality described herein. As described elsewhere herein, DRM engine 432 may comprise, interoperate with, and/or control a variety of other modules, such as a virtual machine 422 for executing control programs, a protected database 424 for storing sensitive information, and/or one or more cryptographic modules 426 for performing cryptographic operations such as encrypting and/or decrypting content, computing hash functions and message authentication codes, evaluating digital signatures, and/or the like. Memory 404 will also typically include protected content 428 and associated licenses and computations 429, as well as cryptographic keys, certificates, and the like (not shown).

One of ordinary skill in the art will appreciate that the systems and methods described herein can be practiced with computing devices similar or identical to that illustrated in FIG. 4, or with virtually any other suitable computing device, including computing devices that do not possess some of the components shown in FIG. 4 and/or computing devices that possess other components that are not shown. Thus it should be appreciated that FIG. 4 is provided for purposes of illustration and not limitation.

Although the foregoing has been described in some detail for purposes of clarity, it will be apparent that certain changes and modifications may be made within the scope of the appended claims. For example, while several examples have been described that make use of a DRM engine such as that described in the '693 application, it will be appreciated that embodiments of the systems and methods described herein can be implemented using any suitable software and/or hardware for governing content in accordance with rules or policy. It should be noted that there are many alternative ways of implementing both the processes and apparatuses described herein. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the inventive body of work is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.

1.-26. (canceled)
27. A method for governing the use of a digital resource, the method comprising: receiving one or more programs associated with at least one user, wherein the one or more programs are configured to operate upon the digital resource when executed to generate a derived digital resource by performing at least one computation on information contained in the digital resource; associating one or more rules with the digital resource, wherein the rules correspond to one or more conditions for accessing the digital resource; cryptographically associating the one or more programs with the digital resource; and receiving a request to generate the derived digital resource from a system associated with the at least one user; executing the one or more programs to generate the derived digital resource based on the digital resource, wherein the at least one computation comprises a computation that obscures at least a portion of the digital resource when executed to generate the derived digital resource such that the digital resource contains information that is not included in the generated derived digital resource, and wherein executing the one or more programs comprises enforcing the one or more conditions for accessing the digital resource in connection with execution of the one or more programs; and transmitting the derived digital resource to the system associated with the at least one user.

28. The method of claim 27, wherein the computation that obscures the at least a portion of the digital resource comprises a hashing computation.

29. The method of claim 27, wherein the computation that obscures the at least a portion of the digital resource comprises a computation that performs a mathematical transformation on the at least a portion of the digital resource.

30. The method of claim 29, wherein the mathematical transformation comprises transforming the at least a portion of the digital resource to a specified resolution.

31. The method of claim 27, wherein the computation that obscures the at least a portion of the digital resource obscures the at least a portion of the digital resource based in part on obfuscation information.

32. The method of claim 31, wherein the obfuscation information comprises randomly generated information.

33. The method of claim 31, wherein the obfuscation information comprises pseudorandomly generated information.

34. The method of claim 27, wherein the at least one program is associated with a set of users rather than an individual user.

35. The method of claim 34, wherein the set of users is specified by explicitly listing the users for whom the at least one program applies.

36. The method of claim 34, wherein the set of users is specified by providing an attribute common to the set of users, such that the at least one program is required for any user to whom said attribute applies.

37. The method of claim 27, wherein the generated derived resource is dependent upon at least one of the at least one user, a set of users, and another principal to whom the at least one program applies.

38. The method of claim 27, further comprising: receiving a new set of programs configured to operate upon the digital resource; and receiving a request for associating the new set of programs with the digital resource.

39. The method of claim 38, further comprising: approving the request for associating the new set of programs with the digital resource.

40. The method of claim 27, wherein cryptographically associating the one or more programs with the digital resource comprises generating a digitally signed document consisting of the pairing of a unique representation of the digital resource and a unique representation of the one or more programs to be associated with the digital resource.

41. The method of claim 40, wherein the representation of the digital resource is the result of applying a one-way function.

42. The method of claim 41, wherein the one-way function comprises the SHA-1 hash function.

43. The method of claim 40, wherein the representation of the digital resource is a unique identifier associated with the digital resource.

44. The method of claim 43, wherein the unique identifier associated with the digital resource is assigned by a trusted third party.